empowering the new heathcare era - himss chapter · 2016-04-13 · under the project bioshield act...

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania. EMPOWERING THE NEW HEALTHCARE ERA: THE NJ/DV HIMSS REGIONAL MEETING, NOVEMBER 12-14, 2014, BALLY’S HOTEL & CASINO, ATLANTIC CITY, NJ.


Page 1: EMPOWERING THE NEW HEATHCARE ERA - HIMSS Chapter · 2016-04-13 · under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act –If the

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

EMPOWERING THE NEW HEALTHCARE ERA

THE NJ/DV HIMSS REGIONAL MEETING

NOVEMBER 12-14, 2014

BALLY’S HOTEL & CASINO, ATLANTIC CITY, NJ.

Page 2:

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

Steven J. Fox, Esq.

Principal, Post & Schell, P.C.

William “Buddy” Gillespie, HCISPP

Director Healthcare Solutions, DSS

Page 3:

Page 4:

Introduction

The Pennsylvania eHealth Initiative (PAeHI) is a not-for-profit founded in 2005 by the state’s leading healthcare organizations to transform healthcare by fostering the broader adoption of electronic health records and health information exchange.

In the sharing of patient data, PAeHI recognizes that robust patient privacy and security protections are essential to build and maintain a necessary level of trust among patients, healthcare providers, health plans, and other stakeholders.

PAeHI also believes that a balance must be maintained between the protection of patient privacy and the adequate and timely sharing of patient data at the point of care.

Page 5:

Purpose

This white paper addresses healthcare data privacy and security for electronic information exchange.

The key purpose is to help healthcare providers achieve acceptable data privacy and security assurance for healthcare consumers, while minimizing cost and confusion.

It does not discuss the much broader issues of non-electronic healthcare data privacy or general security technology.

Page 6:

Background

In 2009, PAeHI published a white paper entitled "Ensuring Privacy and Security of Health Information Exchange in Pennsylvania."

The paper was well received and was given the distinguished honor of publication in the Spring 2009 issue of the HIMSS Journal of Healthcare Information Management (JHIM).

However, since then a great deal has changed, and significant progress has been made, across the healthcare spectrum. To name a few developments: a growing number of HIEs have achieved sustainability, Meaningful Use Stage 1 has taken place, and the HIPAA Omnibus Final Rule has been issued.

Page 7:

Executive Summary

Patients are unlikely to share sensitive health information unless they are confident that their provider will honor their confidentiality. Similarly, health care entities are unlikely to join a health information exchange if they are not confident that their medical records will be kept safe and that the data will be flowing securely.

Page 8:

Executive Summary

• A key factor in achieving a high level of trust and compliance among individuals, health care providers, and other health care organizations participating in a health information exchange is the development of, and adherence to, a consistent and coordinated approach to privacy and security.

• Clear, understandable and uniform principles are a first step in developing this approach to privacy and security while building trust, which are all essential to the realization of the considerable benefits of HIE.

Page 9:

Executive Summary

• It can be a challenge to adopt clear and uniform privacy and security principles in a legal landscape that seems inconsistent and restrictive.

• Absorbing those principles into a sustainable business model that hits all its required regulatory marks requires strong leadership and the will to get it done, both to support business goals and to serve the patients and consumers of Pennsylvania.

Page 10:

Executive Summary

• In 2012, the Commonwealth established the Pennsylvania eHealth Partnership Authority as the governance entity for HIE in the state.

• The Authority is moving forward with all the mandates contained in its founding legislation to provide uniform standards and agreements that are produced in concert with stakeholders, along with freely distributed consumer outreach tools and a state consent registry.

Page 11:

Executive Summary

• PAeHI sees this as the first vital step in Pennsylvania achieving a truly interoperable health information exchange network that both supports and expands the market for such services.

• The broad topic discussions and outlines contained in this white paper are presented as a tool to spur further thinking about appropriate methods of meeting the legal requirements for electronic health information privacy and security, the specific requirements within Pennsylvania, and the workplace challenges of technical and administrative implementation.

Page 12:

Key Definitions

• Privacy

– The right to have all records and information pertaining to health care treated as confidential

– Freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue, unauthorized, or illegal gathering and use of data about that individual. (HIMSS, 2006)

Page 13:

Key Definitions

• Security

– The means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss. (HIMSS, 2006)

– The concepts of confidentiality, integrity, authenticity, and accountability are included in security.

Page 14:

Key Definitions

• Omnibus Final Rules

– The HIPAA Omnibus Final Rule was released in January 2013 and modified the HIPAA Privacy and Security Rules.

– The Omnibus rule was based on statutory changes under the HITECH Act and the Genetic Information Nondiscrimination Act of 2008 (GINA).

Page 15:

Key Definitions

• PA eHealth Information Technology Act

– This Act, also known as Act 121 of 2012, established the Pennsylvania eHealth Partnership Authority (Authority) as an independent agency of the Commonwealth and the governance body for the statewide technological health information exchange network it was to build.

Page 16:

Landscape and Roadmap

• The health care industry has had many spirited discussions regarding privacy and security from both the provider and patient perspectives since HIPAA was enacted in 1996.

• The issues surrounding privacy and security continue to challenge all stakeholders regardless of technological sophistication, particularly those involved in the direct delivery of care.

• This tension between privacy and security requires collaborative solutions that fairly balance the competing interests: security implemented from a business perspective, with an eye to the bottom line, against the privacy rights and expectations of individuals as to their medical information.

Page 17:

Landscape and Roadmap

Page 18:

What is Currently Required?

• Policies & Procedures

– Legal

– Regulatory

– Organizational

– Personal

Page 19:

What is Currently Required?

• Policies & Procedures

– Trust Agreements Among Care Providers

• Consumer Consent/Authorization

• Business Associate Agreements

• Data Use & Reciprocal Support Agreements (DURSA)

• Risk Management & Framework

• Identification of Threats

• Mitigation Strategies

• Communication with Stakeholders

Page 20:

What is Currently Required?

• Conforming to Policies & Controlling Risks

– Administrative Controls

– Procedural Controls

– Physical & Environmental Controls

– Technical Controls

– Handling Residual Risk

Page 21:

What is Currently Required?

• Workforce Considerations

– Security is about people & culture

– Appropriate & repeated training is key to successful health information sharing

– Most breaches are due to employee mistakes & negligence, not hacking or bad intent

– BYOD contributes to increasing risk

– More privacy & security risk assessments would reduce frequency of unintentional data breaches

Page 22:

What are Enabling Solutions?

• Best Practices

• Stakeholder Education

• Key Technical Properties

• Demonstration & Model Projects

Page 23:

Page 24:

What are New Compliance Challenges?

• Checkbox Compliance

• PHI Ownership & Disposal

• Proprietary EHRs/HIEs

• Convergence of HIOs & Social Media

• BI and Data Analytics

Page 25:

What are Emerging Areas of Risk?

• Cloud Hosting

• Cyber Security Insurance

• Cyber Attacks

• Mobile Device Management & BYOD

• Physician & Patient Portals

• Backup and Disaster Recovery

Page 26:

Key Documents

• Data Use and Reciprocal Support Agreement (DURSA)

• Business Associate Agreements (BAA)

• PA Opt-Out Form http://

Page 27:

What are Late Breaking Updates?

• HIPAA and Ebola (OCR Bulletin)

• Super Protected Data

Page 28:

HIPAA and Ebola

• The HHS Office for Civil Rights (OCR) issued a Bulletin on Nov. 10, 2014: HIPAA Privacy in Emergency Situations

– To ensure that covered entities & business associates are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation; and

– To serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency

– The HIPAA Privacy Rule protects patients’ PHI (protected health information), but allows appropriate uses & disclosures to treat a patient, to protect the nation’s public health, and for other critical purposes

– See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/emergencysituations.pdf

Page 29:

HIPAA and Ebola (OCR Bulletin cont’d.)

Sharing Patient Information

• Treatment

• Public Health Activities

– To a public health authority (e.g., CDC)

– To a foreign government agency, at the direction of a public health authority

– To persons at risk of contracting or spreading a disease or condition, if authorized by other (state) law

• Disclosures to Family, Friends & Others Involved in an Individual’s Care and for Notification

Page 30:

HIPAA and Ebola (OCR Bulletin cont’d.)

Sharing Patient Information (cont’d.)

• Imminent Danger

• Disclosures to the Media or Others Not Involved in the Care of the Patient

• Minimum Necessary

• Business Associates

Page 31:

HIPAA and Ebola (OCR Bulletin cont’d.)

Safeguarding Patient Information in Emergency Situations

Covered Entities must:

• Continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures

• Apply the administrative, physical & technical safeguards of the HIPAA Security Rule to electronic protected health information (EPHI)

Page 32:

HIPAA and Ebola (OCR Bulletin cont’d.)

Other Information

• Limited Waiver

– The HIPAA Privacy Rule is not suspended during a public health or other emergency; however

– The Secretary of HHS may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act

– If the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive (for up to 72 hours) sanctions & penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule (additional limitations apply):

Page 33:

HIPAA and Ebola (OCR Bulletin cont’d.)

Other Information

• Limited Waiver (cont’d.)

• the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b);

• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a);

• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520;

• the patient's right to request privacy restrictions. See 45 CFR 164.522(a); and

• the patient's right to request confidential communications. See 45 CFR 164.522(b)

Page 34:

HIPAA and Ebola (OCR Bulletin cont’d.)

Other Information (cont’d.)

• HIPAA Applies Only to Covered Entities and Business Associates. The Privacy Rule does not apply to:

– Disclosures made by entities or other persons who are not covered entities or business associates

– Family members who choose (with or without the patient’s permission) to disclose information

– News and other media, regardless of how the information was obtained

– Clergy, friends or neighbors of patients

Page 35:

Super Protected Data

• What is Super Protected Data (SPD)?

– HIV and AIDS

– Mental Health

– Drug and Alcohol

Page 36:

Super Protected Data

• Committee Work

– Outreach

• SPD Communities

• Commonwealth Advisory Councils

• Department of Public Welfare, Office of Mental Health and Substance Abuse Services

• Department of Drug and Alcohol Programs

• Department of Health

Page 37:

Super Protected Data

• Committee Recommendations

– Recommendation #1: Create Health Information Exchange education and guidance on appropriate sharing while protecting the privacy of Super Protected Data.

Page 38:

Super Protected Data

• Committee Recommendations

– Recommendation #2: Develop a list of common Super Protected Data codes and terms.

Page 39:

Super Protected Data

• Committee Recommendations

– Recommendation #3: Engage in national Super Protected Data and data segmentation conversations.

Page 40:

Super Protected Data

• Next Steps

– Continue committee conversations

– Refine recommendations

– Consider new suggestions

– Prepare recommendations for board consideration

– Continue outreach and education

– Suggest stakeholder groups

– Engage in federal discussions

– Suggest forums

Page 41:

Contributors

PA eHealth Initiative www.paehi.org

– Robert Torres, Esq.

– Steven J. Fox, Esq.

– William “Buddy” Gillespie

– Dr. Chris Cavanaugh

– And special thanks to the PAeHI Committees (BHOX and Policy)

PA eHealth Partnership Authority www.paehealth.org

– Alix Goss

– Rebecca Roberts

Page 42:

For further information: www.paehi.org

Steven J. Fox

Chair, Policy Committee

[email protected]

William “Buddy” Gillespie

Chair, Business, Health Outcomes and HIE Committee

[email protected]

Page 43:

Thank You !